Method for checking the authenticity of a manager application in a telecommunications management network operating system by means of a network element, and a network element which is suitable for this purpose

The present invention relates to a method for checking the authenticity of a manager application in a telecommunications management network operating system (TMN-OS) according to the precharacterizing clause of the method claim 1, and to an associated network element according to the precharacterizing clause of the apparatus claim 5.

Switching devices, which are referred to as network elements, are used as nodes in a telecommunications network in order to coordinate the information flow in such networks. The network elements are managed by a specific operating system, the TMN-OS. For this purpose, they are connected together with the operating system to a specific management network, which is referred to as the telecommunications management network (TMN); the network elements are managed by the operating system TMN-OS communicating with the network elements via the TMN.

The TMN-OS is formed from a large number of manager applications, each of which has an associated mating part, which is referred to as an agent application, in each network element.

A manager application in the TMN-OS communicates with its associated agent application in the network element using a fixed, defined communication protocol for each manager application/agent application pair. In this case, a distinction is drawn between "public" and "non-public" protocols. Published protocols, which are referred to as open protocols, include, for example, the FTAM, FTP and Q3 protocols. In contrast to this, for example, the MML protocol, which is defined as being proprietary, that is to say manufacturer-specific, is not published.

At the start of or during the handling of a communication protocol, it is possible to provide for the authenticity of a manager application to be checked by a network element. To do this, the manager application which wishes to set up a link to the network element must prove that it is the manager application which it claims to be.

The authentication check is carried out by the manager application transmitting communication-protocol-specific authentication data via the TMN to the network element, in response to which the network element compares the received authentication data with predetermined, stored authentication data.

The authentication check is highly complex since each communication protocol has not only a dedicated authentication check but also individual, protocol-specific authentication data. Various types of initiators and other data are used as authenticity data. The initiators include, for example, human users, user IDs and applications which are identified by an application entity title (AET). Other data are: passwords, keys, replay protected passwords, randoms (random numbers), date and time etc.

In addition to these various protocol-specific authentication data items, a number of checking mechanisms, which are referred to as authentication types, are generally provided for each communication protocol, for carrying out the authentication check as shown in Figure 2; according to Figure 2, for the Q3 communication protocol for example, these are a simple password mechanism, a replay protected password mechanism, a pure identification, or a challenge and response method.

This means that, before each authentication check, one of the respectively available authentication types must be selected to carry out that particular authentication check.

Conventionally, there are therefore various software programs, which are referred to as protocol-specific applications, for each communication protocol, and in some cases these even have different operator interfaces (MML, Q3) for managing the authentication data and the authentication types.

The object of the invention is to provide a method which is simpler than the conventional method for a network element to check the authenticity of a manager application, and to provide a network element which is suitable for this purpose, in which method and network element the various protocol-specific applications for managing the authentication data are superfluous.

This object is achieved by the subject matters claimed in patent claims 1 and 5. Further advantageous refinements of the invention are the subject matter of the independent claims.


According to patent claims 1 and 5, the object is achieved in particular in that the authentication check is carried out centrally in an authentication checking device in the network element for various manager applications, that is to say for various communication protocols, and in that the authentication checking device accesses an authentication databank in which the various authentication data for all the communication protocols used are stored centrally.


The method according to the invention and the associated network element offer the advantage that the authentication check can be carried out centrally and in a standard manner for all communication protocols. There is therefore no need to carry out any communication-protocol-specific authentication checks. Furthermore, the central authentication databank results in the management of the various authentication data being considerably simplified, and in the costs being reduced. There is likewise no need for any different applications for management of the communication-protocol-specific authentication data.

Furthermore, the central authenticity checking device and the central authentication databank can be modified or expanded easily when other or additional communication protocols are used.

According to one advantageous refinement of the method, the central authentication databank is managed by a dedicated communication protocol. In this way, the management of the various authentication data for the various communication protocols is standardized by, for example, providing a standard operator interface (MML, Q3) for the management of the various authentication data.

It is advantageous for different communication protocols to be provided for interchanging different information for communication between the manager applications in the TMN-OS and the agent applications in the network element.

In a preferred development of the checking method according to the invention, the step of authentication checking is carried out centrally in the network element not only for each individual communication protocol, but also for different authentication types. This centralization also saves costly communication-protocol-specific individual solutions.

Finally, for the network element designed for carrying out the method, it is advantageous for the central authentication databank to be managed by a management device which is controlled by the TMN-OS via a dedicated agent application within the network element. In addition to saving communication-protocol-specific individual solutions for managing the communication-protocol-specific authentication data, this development furthermore allows decoupling of telecommunication-specific communication and management communication between the TMN-OS and the network element.

The following text contains a detailed description of one preferred exemplary embodiment of the invention, with reference to the attached figures.

Figure 1 shows a TMN as a connecting network between a TMN-OS and a network element according to the present invention; and

Figure 2 shows a tabular association between communication protocols and respective possible authentication types.

A network element in a communications network is managed by a telecommunications management network operating system (TMN-OS). Figure 1 shows the coupling of the network element to the TMN-OS via a TMN that is required for this purpose. The TMN-OS has a large number of manager applications 50, 60 ... 100, which are implemented either in hardware or, normally, in software. One or more of these manager applications can then run on a computer.

The network element in each case has a corresponding mating part, which is referred to as an agent application 55, 65 ... 105, for each manager application in the TMN-OS. Using these agent applications, the network element communicates via the TMN with the manager applications 50, 60 ... 100 in the TMN-OS. Each manager application communicates with its associated agent application in the form of an individual communication protocol. In this case, the following constellations are possible, according to Figure 1:
the File Transfer Access Management (FTAM) manager application 50 communicates with the FTAM agent application 55;

the File Transfer Protocol (FTP) manager application 60 communicates with the FTP agent application 65;

the Man Machine Language (MML) manager application 70 communicates with the MML agent application 75; and

the Q3 manager applications 80, 100 communicate with the Q3 agent applications 85, 105 in the network element.

A unilateral authentication check is considered, in which the network element checks, before setting up a connection to the TMN-OS, whether the manager application which wishes to set up a connection is that which it claims to be. The authentication check can be carried out not only before but also during the handling of a communication protocol, in which case it is then what is referred to as reauthentication.

In the course of the unilateral authentication check shown in Figure 1, a manager application 50, 60 ... 100 which wishes to set up a connection to the network element initially sets up the protocol elements required for carrying out the authentication check as a function of its communication protocol, its initiators and a selected authentication type, and sends these to the network element. These protocol elements are then received and evaluated by the network element. During the evaluation process, the authentication data required for carrying out the authentication check are, in particular, filtered out of the protocol elements.

Each of the communication protocols used, for example the FTAM, FTP, MML or Q3 communication protocol, has its own dedicated authentication data.
Various types of initiators and other data are used as authentication data. The initiators include, for example, human users, user IDs and applications which are identified by an Application Entity Title (AET). Other data are: passwords, keys, replay protected passwords, randoms (random numbers), date or time etc.

The authentication data selected by the agent applications 55, 65 ... 105 are passed on within the network element to a central authentication checking device 20, where they are used for carrying out the actual authentication check.

According to Figure 2, a number of mechanisms, which are referred to as authentication types, are available for each manager application and for each communication protocol to carry out an authentication check. One of the possible authentication types is selected and predetermined in each specific case for each authentication check.

The authentication check is carried out in such a manner that the central authentication checking device 20 checks whether the authentication type desired by the manager application is valid for that communication protocol and for that initiator, and whether the received protocol-specific authentication data match the original authentication data stored in advance in a central authentication databank 10. If they match, the central authentication checking device confirms that the requesting manager application is authorized to set up a desired connection. The following example relates to this:

With regard to future communications between the TMN-OS and the network element, authentication data for a protocol which is to be used are initially stored in the central authentication databank 10. This is done in such a way that a Q3 manager application requests a Q3 management device 30 within the network element to enter the initiator "HUGO" in the central authentication databank 10, for example for future communication using the FTAM protocol, and such that this must use the "simple password mechanism" authentication type for authentication and such that its identification word is "ABCD1#".

Before each subsequent connection is set up using an FTAM communication protocol, the central authentication checking device 20 in the network element then carries out the authentication check as follows:

From the FTAM agent application 55 in the network element, it receives the information that the FTAM manager application 50 would like to set up a connection, with the manager application outputting "HUGO" as the initiator for the desired connection, and asserting that its identification word is "ABCD1#". The central authentication checking device 20 then compares these data with the original authentication data, already stored in the central authentication databank 10, for the FTAM communication protocol and the "HUGO" initiator and, if they match, allows the connection to be set up.

At the end of an authentication check, the manager application is told by its associated agent application the result of its check together with the consequences resulting from this for the setting up of a connection. The following decisions are possible consequences of the result: the requested setting up of a connection takes place, the requested setting up of a connection is rejected, or the setting up of a connection is terminated after having been started.

The central authentication checking device 20 carries out the authentication check, which is described by way of example for the FTAM communication protocol, in the same way for all the other communication protocols used. In this instance, in each individual case, it accesses the central authentication databank 10, in which the authentication data for all the communication protocols are stored.

As can be seen in Figure 1, the central authentication databank 10 is managed by a dedicated Q3 manager application 100 in the TMN-OS. In this case, the communication of the Q3 manager application 100 with the network element likewise takes place using the TMN and an associated Q3 agent application 105. In the network element, the Q3 agent application 105 controls the Q3 management device 30, which directly manages the central authentication databank 10. Typical administration commands which the Q3 management device 30 receives from the Q3 manager application 100 or from its associated Q3 agent application 105 are, for example, the entry, the amendment or the deletion of data in the central authentication databank 10.

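The following Python model is an added illustration, not code from the patent, of the three elements just described working together: the central authentication databank 10 holding entries for every protocol, the Q3 management device 30 executing entry, amendment and deletion commands against it, and the central authentication checking device 20 performing the two-part check (is the desired authentication type valid for this protocol and initiator; do the received data match the stored original) described above and in the "HUGO" / FTAM / "ABCD1#" example. The element names, the protocol names, the Q3 authentication types and the HUGO example come from the description; the data layout, the function names, the identification word stored in clear text, and the authentication types allowed for FTAM, FTP and MML are assumptions made for this example.

```python
"""Toy model of the central authentication check in a network element.

Added example, not the patent's own code.  Names of elements 10, 20, 30 and
the HUGO / ABCD1# case follow the description; everything else is assumed.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Figure 2 style association of protocols with permitted authentication types.
# The Q3 row is the one the text lists; the other rows are constructed here.
ALLOWED_TYPES: Dict[str, frozenset] = {
    "Q3": frozenset({"simple password mechanism", "replay protected password mechanism",
                     "pure identification", "challenge and response"}),
    "FTAM": frozenset({"simple password mechanism"}),   # assumption
    "FTP": frozenset({"simple password mechanism"}),    # assumption
    "MML": frozenset({"simple password mechanism"}),    # assumption
}

# Decisions reported back to the manager application via its agent application.
# (The third outcome on the page, termination of a connection already started,
# belongs to reauthentication and is not modelled here.)
CONNECTION_SET_UP = "connection set up"
CONNECTION_REJECTED = "connection rejected"


@dataclass
class DatabankEntry:
    """Original authentication data stored in advance for one (protocol, initiator)."""
    auth_type: str
    identification_word: str  # a real databank would store a salted hash, not the word


class CentralAuthenticationDatabank:
    """Central authentication databank 10: a single store for all protocols."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], DatabankEntry] = {}

    def enter(self, protocol: str, initiator: str, auth_type: str, word: str) -> None:
        # Refuse to store an authentication type that the protocol does not offer.
        if auth_type not in ALLOWED_TYPES.get(protocol, frozenset()):
            raise ValueError(f"{auth_type!r} is not an authentication type of {protocol}")
        self._entries[(protocol, initiator)] = DatabankEntry(auth_type, word)

    def amend(self, protocol: str, initiator: str, auth_type: str, word: str) -> None:
        if (protocol, initiator) not in self._entries:
            raise KeyError(f"no entry for {initiator!r} under {protocol}")
        self.enter(protocol, initiator, auth_type, word)

    def delete(self, protocol: str, initiator: str) -> None:
        self._entries.pop((protocol, initiator), None)

    def lookup(self, protocol: str, initiator: str) -> Optional[DatabankEntry]:
        return self._entries.get((protocol, initiator))


class Q3ManagementDevice:
    """Q3 management device 30: runs the administration commands (entry,
    amendment, deletion) it receives via the Q3 agent application 105."""

    def __init__(self, databank: CentralAuthenticationDatabank) -> None:
        self._databank = databank

    def execute(self, command: str, **fields) -> None:
        handlers = {"enter": self._databank.enter,
                    "amend": self._databank.amend,
                    "delete": self._databank.delete}
        if command not in handlers:
            raise ValueError(f"unknown administration command {command!r}")
        handlers[command](**fields)


class CentralAuthenticationCheckingDevice:
    """Central authentication checking device 20: the same check for every protocol."""

    def __init__(self, databank: CentralAuthenticationDatabank) -> None:
        self._databank = databank

    def check(self, protocol: str, initiator: str, auth_type: str, word: str) -> str:
        # 1. Is the desired authentication type valid for this communication protocol?
        if auth_type not in ALLOWED_TYPES.get(protocol, frozenset()):
            return CONNECTION_REJECTED
        # 2. Is it the type stored for this initiator under this protocol?
        entry = self._databank.lookup(protocol, initiator)
        if entry is None or entry.auth_type != auth_type:
            return CONNECTION_REJECTED
        # 3. Do the received data match the original data?  Constant-time compare
        #    so the check does not leak how much of the word was correct.
        if not hmac.compare_digest(entry.identification_word.encode(), word.encode()):
            return CONNECTION_REJECTED
        return CONNECTION_SET_UP


def run_example() -> Dict[str, str]:
    """Replays the HUGO example from the text plus three failing variants."""
    databank = CentralAuthenticationDatabank()
    Q3ManagementDevice(databank).execute("enter", protocol="FTAM", initiator="HUGO",
                                         auth_type="simple password mechanism", word="ABCD1#")
    device = CentralAuthenticationCheckingDevice(databank)
    return {
        "hugo_ok": device.check("FTAM", "HUGO", "simple password mechanism", "ABCD1#"),
        "wrong_word": device.check("FTAM", "HUGO", "simple password mechanism", "ABCD1!"),
        "wrong_type": device.check("FTAM", "HUGO", "challenge and response", "ABCD1#"),
        "wrong_protocol": device.check("FTP", "HUGO", "simple password mechanism", "ABCD1#"),
    }


if __name__ == "__main__":
    for name, decision in run_example().items():
        print(f"{name}: {decision}")
```

The point the model makes explicit is that the agent applications 55, 65 ... 105 only extract the protocol-specific fields; the decision logic and the stored data live in one place, so adding a protocol means adding a row to the Figure 2 association rather than a new checking program. The order of the three tests also matters for detection: a request that names an authentication type the protocol does not offer is rejected before any credential is compared, which is the case to log separately from a plain wrong password.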

In addition to the unilateral authentication check discussed so far, it is in principle also possible to carry out a mutual (or reciprocal) authentication check which, in addition to the described unilateral authentication check, also provides for the checking of the authenticity of a network element and/or of the agent application by a manager application. In this case, the agent application which wishes to set up communication to the operating system or to a manager application in the operating system must verify to the manager application that it is that agent application which it claims to be.